Disclosure of Invention
The invention provides a method, a device, equipment and a storage medium for positioning risk codes, which are used for detecting dynamic illegal behaviors of an application program to be detected and accurately positioning the risk codes causing the illegal behaviors.
In a first aspect, an embodiment of the present invention provides a method for positioning a risk code, including:
running test is carried out on an application program to be tested installed in an operating system, and after the test is finished, a log file and a thread record file corresponding to the operating system are obtained;
The log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises a calling relation between threads of the operating system in the test process;
Analyzing the log file and identifying the realization thread of the target system function for acquiring the user privacy information;
and according to the implementation thread recursion inquiring thread record file, acquiring an origin thread matched with the implementation thread, and positioning a risk code matched with the origin thread.
Optionally, before performing the running test on the application to be tested installed in the operating system, the method further includes:
Acquiring a source code file of an operating system;
Adding a dotting code at a new thread creation position in a source code file, and adding the dotting code at least one system function position to be monitored in the source code file;
And installing a source code file added with dotting codes in the test terminal to generate an operating system, and installing an application program to be tested in the test terminal.
Optionally, performing an operation test on the application program to be tested installed in the operating system includes:
performing operation test on an application program to be tested installed in the sandbox; the sandbox is installed in the operating system;
before running test is carried out on the application program to be tested installed in the operating system, the method further comprises the following steps:
Intercepting a new thread creation position in a source code file of an operating system by utilizing an sandbox, and adding a dotting code at the new thread creation position;
intercepting at least one system function position to be monitored in a source code file of an operating system by utilizing a sandbox, and adding dotting codes into each system function position to be monitored;
and installing a sandbox added with the dotting code in the test terminal, and installing the application program to be tested in the sandbox.
Optionally, performing an operation test on the application program to be tested installed in the operating system includes:
responding to trigger operation of dotting codes of new thread creation positions in a source code file, acquiring identification of a parent thread, identification of a child thread and a call stack of the parent thread, and storing the identification, the identification and the call stack of the parent thread into a thread record file corresponding to an operating system;
and responding to the triggering operation of the dotting code of at least one system function position to be monitored in the source code file, acquiring the identification of the current thread, the operation information of the current position and the call stack of the current thread, and storing the identification, the operation information and the call stack of the current thread in a log file corresponding to an operating system.
Optionally, performing an operation test on the application program to be tested installed in the operating system includes:
Responding to the trigger operation of the dotting code of the new thread creation position in the sandbox, acquiring the identification of the father thread, the identification of the child thread and the call stack of the father thread, and storing the identification, the child thread and the call stack of the father thread into a thread record file corresponding to the sandbox;
and responding to the triggering operation of the dotting code of at least one system function position to be monitored in the sandbox, acquiring the identification of the current thread, the operation information of the current position and the call stack of the current thread, and storing the identification, the operation information and the call stack of the current thread in a log file corresponding to the sandbox.
Optionally, analyzing the log file and identifying a thread for implementing a target system function for acquiring the privacy information of the user, including:
acquiring target operation information in a log file, and judging whether the target operation information comprises user privacy information or not;
And if the target operation information comprises the user privacy information, using the identification of the target thread matched with the target operation information in the log file as the identification of the realization thread of the target system function for acquiring the user privacy information.
Optionally, locating risk codes that match the originating thread includes:
Acquiring a call stack of an origin thread in a log file, and searching a function name of a first non-operating system from the call stack according to the sequence from the stack bottom to the stack top;
And locating the risk code matched with the origin thread according to the function name of the first non-operating system.
In a second aspect, an embodiment of the present invention further provides a positioning device for risk codes, including:
the acquisition module is used for performing running test on an application program to be tested installed in the operating system, and acquiring a log file and a thread record file corresponding to the operating system after the test is finished;
The log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises a calling relation between threads of the operating system in the test process;
the analysis module is used for analyzing the log file and identifying the realization thread of the target system function for acquiring the user privacy information;
and the positioning module is used for recursively inquiring the thread record file according to the realization thread, acquiring the origin thread matched with the realization thread and positioning the risk code matched with the origin thread.
In a third aspect, an embodiment of the present invention further provides an electronic device, including:
One or more processors;
Storage means for storing one or more programs,
When the one or more programs are executed by the one or more processors, the one or more processors implement the method for locating risk codes provided by any embodiment of the present invention.
In a fourth aspect, embodiments of the present invention further provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method for locating a risk code provided by any embodiment of the present invention.
According to the technical scheme, the application program to be tested installed in the operating system is subjected to operation test, and after the test is finished, a log file and a thread record file corresponding to the operating system are obtained; the log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises a calling relation between threads of the operating system in the test process; analyzing the log file and identifying the realization thread of the target system function for acquiring the user privacy information; according to the method, a thread record file is recursively inquired by an implementation thread, an origin thread matched with the implementation thread is obtained, and a risk code matched with the origin thread is positioned, so that the problem that the position of the risk code violating privacy in the source code cannot be traced in the prior art is solved, dynamic illegal behaviors of an application program to be detected can be detected, and the risk code causing the illegal behaviors can be accurately positioned.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1 is a flowchart of a risk code positioning method according to a first embodiment of the present invention, where the present embodiment may be applied to determining a risk code causing an offence, and in the case of a specific location in an application to be tested or an operating system, the method may be performed by a risk code positioning device, which may be implemented by hardware and/or software, and may be generally integrated in an electronic device, such as a terminal device, that provides a risk code positioning service. As shown in fig. 1, the method includes:
And 110, performing running test on the application program to be tested installed in the operating system, and acquiring a log file and a thread record file corresponding to the operating system after the test is finished.
The log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises calling relations among threads of the operating system in the test process.
In this embodiment, the operating system may be an iOS operating system, an android operating system, or other operating systems capable of running application programs, and after the application program to be tested is installed in the operating system, the application program to be tested is normally run in the operating system, so as to detect whether the application program to be tested or the operating system has an illegal action that violates the privacy information of the user.
In this embodiment, in order to record suspicious operation information of the operating system or the application to be tested in real time during the running process of the application to be tested in the operating system, a dotting code may be added in advance at a position in the source code of the operating system where the user privacy behavior may be violated.
Optionally, before performing the running test on the application to be tested installed in the operating system, the method may further include: acquiring a source code file of an operating system; adding a dotting code at a new thread creation position in a source code file, and adding the dotting code at least one system function position to be monitored in the source code file; and installing a source code file added with dotting codes in the test terminal to generate an operating system, and installing an application program to be tested in the test terminal.
In this embodiment, for the case that the source code of the operating system can be obtained, the source code file of the operating system is obtained, for example, for an open android operating system, the source code file of the operating system can be downloaded. Then, source codes which can infringe privacy behaviors of a user are searched in the source code file, for example, an operating system creates source codes of new threads or source codes corresponding to system functions which call a camera, open a microphone and wait for monitoring, and dotting codes are added at the creation position of the new threads and at least one system function position to be monitored. And then, the source code file added with the dotting code is installed in a test terminal where the application program to be tested is located, so that an operating system is generated in the test terminal, and the application program to be tested is installed in the operating system, so that whether a risk code infringing the privacy behavior of the user exists in the application program to be tested or in the operating system is monitored.
The system function to be monitored can be any function provided by the operating system for the application program to be monitored to use, the system function to be monitored is realized by the operating system instead of the application program to be monitored, and the application program to be monitored only uses the system function.
Optionally, performing the operation test on the application program to be tested installed in the operating system may include: performing operation test on an application program to be tested installed in the sandbox; the sandbox is installed in the operating system;
before performing the operation test on the application program to be tested installed in the operating system, the method can further comprise: intercepting a new thread creation position in a source code file of an operating system by utilizing an sandbox, and adding a dotting code at the new thread creation position; intercepting at least one system function position to be monitored in a source code file of an operating system by utilizing a sandbox, and adding dotting codes into each system function position to be monitored; and installing a sandbox added with the dotting code in the test terminal, and installing the application program to be tested in the sandbox.
In this embodiment, in order to record suspicious operation information of an application program to be tested or an operating system in real time in the running process of the application program to be tested, a sandbox technology may be used to intercept a new thread creation position in a source code file of the operating system and at least one system function position to be monitored through a hook function, and add a dotting code at each position. And then installing the sandbox added with the dotting code into an operating system, providing a virtual operating system environment by the sandbox, and installing the application program to be tested into the sandbox, so that the sandbox can acquire all operating information of the application program to be tested and the operating system.
Optionally, performing the operation test on the application program to be tested installed in the operating system may include: responding to trigger operation of dotting codes of new thread creation positions in a source code file, acquiring identification of a parent thread, identification of a child thread and a call stack of the parent thread, and storing the identification, the identification and the call stack of the parent thread into a thread record file corresponding to an operating system; and responding to the triggering operation of the dotting code of at least one system function position to be monitored in the source code file, acquiring the identification of the current thread, the operation information of the current position and the call stack of the current thread, and storing the identification, the operation information and the call stack of the current thread in a log file corresponding to an operating system.
In this embodiment, when the operating system creates a thread, a dotting code added at a new thread creation location is called, an identifier of a parent thread, an identifier of a newly created child thread, and a call stack of the parent thread are obtained, and stored in a thread record file, so as to record a relationship between threads. Wherein the identification of the thread can be obtained by combining the identifier of the thread and the identifier of the corresponding process of the thread in the operating system. In a call stack of a thread, function names called by the thread are sequentially stored from the stack bottom to the stack top, and the function names can be used for recording the call sequence of functions and positioning the position of a risk code in a source code. When the operating system realizes the system function to be monitored, calling the dotting code added at the position to record the characteristic information such as the operation type, specific operation, operation data and the like of the operating system at the position, realizing the identification of the thread of the function to be monitored and the call stack of the thread, and storing the recorded data in a log file. Wherein the operation type and the specific operation are used for analyzing the violation type of the violation.
Optionally, performing the operation test on the application program to be tested installed in the operating system may include: responding to the trigger operation of the dotting code of the new thread creation position in the sandbox, acquiring the identification of the father thread, the identification of the child thread and the call stack of the father thread, and storing the identification, the child thread and the call stack of the father thread into a thread record file corresponding to the sandbox; and responding to the triggering operation of the dotting code of at least one system function position to be monitored in the sandbox, acquiring the identification of the current thread, the operation information of the current position and the call stack of the current thread, and storing the identification, the operation information and the call stack of the current thread in a log file corresponding to the sandbox.
In this embodiment, when a thread is created by sandbox, a dotting code added at the creation position of the new thread is called, the identity of the parent thread, the identity of the newly created child thread, and the call stack of the parent thread are obtained, and stored in the thread record file, so as to record the relationship between threads. When the system function to be monitored is realized through the sandbox, calling the dotting code added at the position to record the characteristic information such as the operation type, specific operation, operation data and the like of the sandbox at the position, realizing the identification of the thread of the function to be monitored and the call stack of the thread, and storing the recorded data in a log file.
And 120, analyzing the log file and identifying the realization thread of the target system function for acquiring the user privacy information.
Optionally, analyzing the log file and identifying the implementation thread of the target system function for obtaining the privacy information of the user may include: acquiring target operation information in a log file, and judging whether the target operation information comprises user privacy information or not; and if the target operation information comprises the user privacy information, using the identification of the target thread matched with the target operation information in the log file as the identification of the realization thread of the target system function for acquiring the user privacy information.
In this embodiment, after the log file and the thread record file are obtained, each piece of operation information is obtained from the log record file, and whether the thread corresponding to each piece of operation information has illegal behaviors is sequentially determined. Taking the target operation information as an example, judging whether the target operation information comprises the plaintext of the user privacy information, such as the information of a user contact way, a user identification card number, a user mailbox and the like, if so, capturing the illegal action, and taking the thread identification matched with the target operation information as the identification of the realization thread of the target system function for acquiring the user privacy information.
And 130, recursively inquiring the thread record file according to the implementation thread, acquiring an origin thread matched with the implementation thread, and positioning a risk code matched with the origin thread.
In this embodiment, after capturing an implementation thread with an offence, in order to trace back to the creator of the implementation thread, to find a real thread caller, the implementation thread may be used as a current thread, a thread record file is recursively queried according to an identifier of the current thread, an identifier of a parent thread of the current thread is obtained, the parent thread is used as the current thread, and the operation of recursively querying the thread record file according to the identifier of the current thread is performed in a return manner until the parent thread of the current thread cannot be found, and the current thread is used as an origin thread matched with the implementation thread. The originating thread may be a thread in an application program to be tested or a thread in an operating system.
Optionally, locating the risk code that matches the originating thread may include: acquiring a call stack of an origin thread in a log file, and searching a function name of a first non-operating system from the call stack according to the sequence from the stack bottom to the stack top; and locating the risk code matched with the origin thread according to the function name of the first non-operating system.
In this embodiment, function names of the threads which are sequentially called are stored from the stack bottom to the stack top in the call stack of the threads, so after the originating thread is determined, the call stack of the originating thread is obtained from the log file, and the function names of the first called non-operating system are searched one by one from the function names from the stack bottom to the stack top according to the function call sequence, and then the function names are the function names of the violation functions called by the originating thread, and according to the function names, the specific positions of the risk codes causing the violation behavior in the source code can be located, so that the risk codes can be modified, and the continuous occurrence of the violation behavior is avoided.
According to the technical scheme, the application program to be tested installed in the operating system is subjected to operation test, and after the test is finished, a log file and a thread record file corresponding to the operating system are obtained; the log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises a calling relation between threads of the operating system in the test process; analyzing the log file and identifying the realization thread of the target system function for acquiring the user privacy information; according to the method, a thread record file is recursively inquired by an implementation thread, an origin thread matched with the implementation thread is obtained, and a risk code matched with the origin thread is positioned, so that the problem that the position of the risk code violating privacy in the source code cannot be traced in the prior art is solved, dynamic illegal behaviors of an application program to be detected can be detected, and the risk code causing the illegal behaviors can be accurately positioned.
Example two
Fig. 2 is a flowchart of a risk code positioning method in a second embodiment of the present application, which is further refined on the basis of the foregoing embodiment. A method for locating a risk code according to a second embodiment of the present application is described below with reference to fig. 2, and includes the following steps:
step 210, judging whether the source code file of the operating system of the test terminal where the application program to be tested is located can be obtained, if yes, executing step 220, otherwise, executing step 250.
In this embodiment, in order to record suspicious operation information of an operating system or an application program to be tested in real time during the running process of the application program to be tested, a dotting code needs to be added in advance at a position in a source code of the operating system, where privacy behaviors of a user may be violated, so that it needs to be determined whether a source code file of the operating system can be directly acquired.
For example, it is assumed that whether a plaintext of personal information of a user is submitted in an http request of an android browser application is to be detected, that is, an application program to be detected is an android browser, and an operating system is an android operating system, and since the android operating system is open-source, a source code file of the operating system can be obtained. It is also assumed that whether a file written by an iOS application contains a plaintext of the user identification card number is detected, that is, the os is an iOS os, and because the iOS os is not open, a source code file of the os cannot be obtained.
Step 220, obtaining a source code file of the operating system, adding a dotting code at a new thread creation position in the source code file to record the identifications of the father thread and the created child thread and the call stack of the father thread, and storing the call stack into a thread record file corresponding to the operating system.
Illustratively, a dotting code is added in a position of creating a new thread in a source code file of an android operating system, for example, in a java, lang, thread, android, handle and the like, so that when the java, lang, thread and the like are executed, an identification of a parent thread, an identification of a child thread and a call stack of the parent thread can be correspondingly stored in a thread record file, and the relationship between the threads is recorded.
And 230, adding a dotting code in at least one system function position to be monitored in the source code file to record the identification of the current thread, the operation information of the current position and the call stack of the current thread, and storing the dotting code in a log file corresponding to the operating system.
The system function location to be monitored can be a calling location of the system authority and other function locations which are easy to be violated.
Illustratively, the dotting codes are embedded in the org.apache.http.clients.methods.httpset class and the org.apache.http.clients.methods.httppost class of the android operating system, so that when the dotting codes are triggered, the operation information of the position is recorded, for example, the operation type of the position is network operation, the specific operation action is httpset or HttpPost, the operation content is submitted text, the identification of the current thread and the call stack of the thread, and the data are written into a log file, so that whether the later analysis is illegal or not according to the log file.
And 240, compiling a source code file added with the dotting codes, generating ROM (read only memory), burning the ROM into a test terminal, and installing the application program to be tested into the test terminal.
Illustratively, compiling a source code file of an android operating system added with dotting codes, generating ROM (read only memory), burning the ROM on a Google's native mobile phone, and installing an android browser to be detected on the mobile phone. For an android system, a ROM generated by compiling a system source code is a file named system. Img, and the size of the ROM is between hundreds of MB and several GB, so that the ROM is used for programming on an android mobile phone.
Step 250, intercepting the position of creating the new thread by using the sandbox and adding a dotting code to record the identification of the parent thread and the created child thread and the call stack of the parent thread, and storing the record file of the thread corresponding to the sandbox.
Illustratively, using the iOS sandbox, the location in the source code file of the operating system where the new thread is created is intercepted by a hook function, e.g., class NSThread in the hook source code file, and a dotting code is added, so that when class NSThread is executed, the identity of the parent thread, the identity of the child thread, and the call stack of the parent thread can be correspondingly stored in a thread record file, and the relationship between threads is recorded.
And 260, intercepting at least one system function position to be monitored in the source code file by using a hook function, adding a dotting code to record the identification of the current thread, the operation information of the current position and the call stack of the current thread, and storing the record in a log file corresponding to the sandbox.
In this embodiment, an sandbox is used to intercept the calling location of the system authority in the source code file and other function locations where violations are likely to occur, and add a dotting code, for example, NSFILEMANAGER types in the hook source code file, at each location, and add the dotting code, so that when the dotting code is triggered, the operation type at the location is recorded as file operation, a specific operation action is a write file, the operation content is a saved data text, and the identity of the current thread and the calling stack of the thread, and these data are written into a log file, so that whether violations exist can be analyzed according to the log file later.
For the iOS operating system, the system authority refers to the capability of invoking the authority of the camera, the microphone, the positioning and the like, and only if a user explicitly clicks the permission authority, the authority of the application program to be tested is granted, the application program to be tested can use the resources of the camera, the microphone and the like of the operating system.
And 270, compiling a sandbox added with the dotting codes, installing the sandbox into the test terminal, and installing the application program to be tested into the test terminal in a sandbox application mode.
In this embodiment, the sandbox added with the dotting code is compiled and installed in the test terminal, and then the application program to be tested is installed in the sandbox.
And 280, running the application program to be tested, and simultaneously capturing a log file and a thread record file.
The android browser is operated in an operating system or the iOS application is operated in a sandbox, the function of the application to be tested is normally used, and meanwhile, log files and thread record files generated in the operation process of the application to be tested are grabbed.
Step 290, analyze the log file and thread record file, trace back the risk code through the call stack of the thread in the file.
The method includes the steps of checking a log file and a thread record file corresponding to an operating system, checking the httpset type and HttpPost type logs in the log file, checking whether the operation content in the log contains plaintext of personal information of a user, and if so, determining that the browser application is illegal, wherein at the moment, the specific position of a source code triggering the illegal can be traced accurately through a call stack of a thread in the thread record file.
The method includes the steps of checking a log file and a thread record file corresponding to the sandbox, checking NSFILEMANAGER types of logs in the log file, checking whether operation content in the log contains a user identification card number plaintext, if so, determining that the iOS application has illegal behaviors, and precisely tracing the specific position of a source code triggering the illegal behaviors through a call stack of a thread in the thread record file.
In this embodiment, according to the call stack of the thread, locating the risk code triggering the violation may include: and (3) taking the identification of the target thread matched with the target operation information in the log file as the identification of the realization thread of the target system function for acquiring the user privacy information, recursively inquiring the thread record file according to the identification of the realization thread, acquiring the origin thread matched with the realization thread, acquiring a call stack of the origin thread from the log file, and searching the function names of the first called non-operating system one by one from the function names from the bottom to the top of the stack according to the function call sequence, wherein the function names are the function names of the illegal functions called by the origin thread, and positioning the specific positions of the risk codes causing illegal behaviors in the source codes according to the function names.
According to the technical scheme, the application program to be tested installed in the operating system is subjected to operation test, and after the test is finished, a log file and a thread record file corresponding to the operating system are obtained; the log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises a calling relation between threads of the operating system in the test process; analyzing the log file and identifying the realization thread of the target system function for acquiring the user privacy information; according to the method, a thread record file is recursively inquired by an implementation thread, an origin thread matched with the implementation thread is obtained, and a risk code matched with the origin thread is positioned, so that the problem that the position of the risk code violating privacy in the source code cannot be traced in the prior art is solved, dynamic illegal behaviors of an application program to be detected can be detected, and the risk code causing the illegal behaviors can be accurately positioned.
Example III
Fig. 3 is a schematic structural diagram of a risk code positioning device according to a third embodiment of the present invention, where the present embodiment is applicable to determining risk codes causing illegal actions, and the device may be implemented by hardware and/or software in a specific location in an application to be tested or an operating system, and may be generally integrated in an electronic device, such as a terminal device, that provides a risk code positioning service. As shown in fig. 3, the apparatus includes:
an obtaining module 310, configured to perform an operation test on an application program to be tested installed in an operating system, and obtain a log file and a thread record file corresponding to the operating system after the test is completed;
The log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises a calling relation between threads of the operating system in the test process;
The parsing module 320 is configured to parse the log file and identify a thread for implementing a target system function for obtaining user privacy information;
The positioning module 330 is configured to recursively query the thread record file according to the implementation thread, obtain an origin thread matched with the implementation thread, and position a risk code matched with the origin thread.
According to the technical scheme, the application program to be tested installed in the operating system is subjected to operation test, and after the test is finished, a log file and a thread record file corresponding to the operating system are obtained; the log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises a calling relation between threads of the operating system in the test process; analyzing the log file and identifying the realization thread of the target system function for acquiring the user privacy information; according to the method, a thread record file is recursively inquired by an implementation thread, an origin thread matched with the implementation thread is obtained, and a risk code matched with the origin thread is positioned, so that the problem that the position of the risk code violating privacy in the source code cannot be traced in the prior art is solved, dynamic illegal behaviors of an application program to be detected can be detected, and the risk code causing the illegal behaviors can be accurately positioned.
Optionally, the method further comprises: the first embedded point module is used for acquiring a source code file of the operating system before running test is carried out on an application program to be tested installed in the operating system; adding a dotting code at a new thread creation position in a source code file, and adding the dotting code at least one system function position to be monitored in the source code file; and installing a source code file added with dotting codes in the test terminal to generate an operating system, and installing an application program to be tested in the test terminal.
Optionally, the obtaining module 310 is configured to: performing operation test on an application program to be tested installed in the sandbox; the sandbox is installed in the operating system;
The apparatus further comprises: the second embedded point module is used for intercepting a new thread creation position in a source code file of the operating system by utilizing an sandbox before running and testing an application program to be tested installed in the operating system, and adding a dotting code at the new thread creation position; intercepting at least one system function position to be monitored in a source code file of an operating system by utilizing a sandbox, and adding dotting codes into each system function position to be monitored; and installing a sandbox added with the dotting code in the test terminal, and installing the application program to be tested in the sandbox.
Optionally, the acquiring module 310 includes: the first obtaining subunit is used for responding to the trigger operation of the dotting code of the new thread creation position in the source code file, obtaining the identification of the father thread, the identification of the child thread and the call stack of the father thread, and storing the identification, the identification and the call stack of the child thread into a thread record file corresponding to an operating system; and responding to the triggering operation of the dotting code of at least one system function position to be monitored in the source code file, acquiring the identification of the current thread, the operation information of the current position and the call stack of the current thread, and storing the identification, the operation information and the call stack of the current thread in a log file corresponding to an operating system.
Optionally, the acquiring module 310 includes: the second obtaining subunit is used for responding to the trigger operation of the dotting code of the new thread creation position in the sandbox, obtaining the identification of the father thread, the identification of the child thread and the call stack of the father thread, and storing the identification, the identification and the call stack of the father thread in the thread record file corresponding to the sandbox; and responding to the triggering operation of the dotting code of at least one system function position to be monitored in the sandbox, acquiring the identification of the current thread, the operation information of the current position and the call stack of the current thread, and storing the identification, the operation information and the call stack of the current thread in a log file corresponding to the sandbox.
Optionally, the parsing module 320 is configured to: acquiring target operation information in a log file, and judging whether the target operation information comprises user privacy information or not; and if the target operation information comprises the user privacy information, using the identification of the target thread matched with the target operation information in the log file as the identification of the realization thread of the target system function for acquiring the user privacy information.
Optionally, the positioning module 330 is configured to: acquiring a call stack of an origin thread in a log file, and searching a function name of a first non-operating system from the call stack according to the sequence from the stack bottom to the stack top; and locating the risk code matched with the origin thread according to the function name of the first non-operating system.
The risk code positioning device provided by the embodiment of the invention can execute the risk code positioning method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example IV
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. Fig. 4 shows a block diagram of an exemplary device 12 suitable for use in implementing embodiments of the present invention. The device 12 shown in fig. 4 is merely an example and should not be construed as limiting the functionality and scope of use of embodiments of the present invention.
As shown in fig. 4, device 12 is in the form of a general purpose computing device. Components of device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, a bus 18 that connects the various system components, including the system memory 28 and the processing units 16.
Bus 18 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, micro channel architecture (MAC) bus, enhanced ISA bus, video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Device 12 typically includes a variety of computer system readable media. Such media can be any available media that is accessible by device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache memory 32. Device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from or write to non-removable, nonvolatile magnetic media (not shown in FIG. 4, commonly referred to as a "hard disk drive"). Although not shown in fig. 4, a magnetic disk drive for reading from and writing to a removable non-volatile magnetic disk (e.g., a "floppy disk"), and an optical disk drive for reading from or writing to a removable non-volatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In such cases, each drive may be coupled to bus 18 through one or more data medium interfaces. Memory 28 may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored in, for example, memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment. Program modules 42 generally perform the functions and/or methods of the embodiments described herein.
Device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), one or more devices that enable a user to interact with device 12, and/or any devices (e.g., network card, modem, etc.) that enable device 12 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 22. Also, device 12 may communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, such as the Internet, via network adapter 20. As shown, network adapter 20 communicates with other modules of device 12 over bus 18. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with device 12, including, but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
The processing unit 16 executes various functional applications and data processing by running programs stored in the system memory 28, for example, implementing the risk code localization method provided by the embodiment of the present invention.
Namely: a method for positioning risk codes is realized, which comprises the following steps: running test is carried out on an application program to be tested installed in an operating system, and after the test is finished, a log file and a thread record file corresponding to the operating system are obtained; the log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises a calling relation between threads of the operating system in the test process; analyzing the log file and identifying the realization thread of the target system function for acquiring the user privacy information; and according to the implementation thread recursion inquiring thread record file, acquiring an origin thread matched with the implementation thread, and positioning a risk code matched with the origin thread.
Example five
A fifth embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program for executing a risk code localization method when executed by a computer processor, the method comprising:
Running test is carried out on an application program to be tested installed in an operating system, and after the test is finished, a log file and a thread record file corresponding to the operating system are obtained; the log file comprises description information of at least one system function executed by the operating system in the test process, and the thread record file comprises a calling relation between threads of the operating system in the test process; analyzing the log file and identifying the realization thread of the target system function for acquiring the user privacy information; and according to the implementation thread recursion inquiring thread record file, acquiring an origin thread matched with the implementation thread, and positioning a risk code matched with the origin thread.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.